forked from rod-trent/SentinelKQL
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathDataIngestEstimation.txt
30 lines (23 loc) · 1.34 KB
/
DataIngestEstimation.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
//This solution looks at the average size per record in a table, then take that number and apply it to the logs you want to ingest.
//Average size per record. Run this in Log Analytics.
let TotalSizeInKb = toscalar( Usage
| where TimeGenerated >= ago(30d)
| summarize TotalSizeInKb=sum(Quantity*1024) by DataType
| where DataType == "DeviceEvents"
| project TotalSizeInKb
);
let NumOfRecords = toscalar( DeviceEvents
| where TimeGenerated >= ago(30d)
| summarize NumOfRecords=count()
);
let AvgSizeInKb = todecimal(TotalSizeInKb / NumOfRecords);
print AvgSizePerRecordInKb=AvgSizeInKb
//Take the above number and apply to the total records for the sources you want to ingest. The following example is for Defender for Endpoint. Run it in the Advanced Hunthing area at security.microsoft.com
DeviceEvents
| union DeviceFileEvents, DeviceInfo, DeviceNetworkInfo, DeviceProcessEvents, DeviceNetworkEvents, DeviceRegistryEvents, DeviceLogonEvents, DeviceImageLoadEvents, DeviceFileCertificateInfo
| count
//Using the estimate_data_size to get Log sizes for Defender for Endpoint
DeviceEvents
| union DeviceFileEvents, DeviceInfo, DeviceNetworkInfo, DeviceProcessEvents, DeviceNetworkEvents, DeviceRegistryEvents, DeviceLogonEvents, DeviceImageLoadEvents, DeviceFileCertificateInfo
| project size = estimate_data_size(*)
| summarize TableSizeInMB = sum(size)/1000/1000